Beta - Lsass.exe is back

Discussion in 'ESET NOD32 v3 Beta Forum' started by Blackspear, Jul 22, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The mongrel is back, Lsass.exe just reappeared, it hasn't been around for about a month.

    Click cancel and you have 60 seconds to abort shutdown by going to:

    Start
    Run
    type in "Shutdown -a" without the quotation marks...

    Cheers :D
     
  2. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia

    Attached Files:

  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Blackspear

    Have you done a scandisk lately?
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, but I shall, don't think this will be it though. I am getting similar error messages with IEXPLORE.exe, only since last night after installing the new Beta.

    Cheers :D
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    You may be right. Doesn't hurt to try the simple things first. :D :cool:
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Exactly :D

    Cheers :D
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Does the event viewer show anything unusual? XP event viewer that is.
     
  9. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    What other programs do you have running? There was something similar to those memory errors you keep getting on some other program that was suppose to prevent buffer overflows.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Scandisk (Checkdisk) came up all ok.

    Event log shows the following:

    Event Type: Error
    Event Source: Winlogon
    Event Category: None
    Event ID: 1015
    Date: 23/07/2004
    Time: 1:06:16 PM
    User: N/A
    Computer: XXXXX
    Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    And that's all there is...

    Cheers :D
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Belarc Information


    Computer Profile Summary
    Computer Name: XXXXX (in WORKGROUP)
    Profile Date: Saturday, 24 July 2004 1:52:17 AM
    Advisor Version: 6.1f
    Windows Logon: PC User

    Click here for Belarc's PC Management products, for large and small companies.

    Operating System System Model
    Windows XP Professional Service Pack 1 (build 2600) No details available
    Processor a Main Circuit Board b
    2.80 gigahertz Intel Pentium 4
    8 kilobyte primary memory cache
    512 kilobyte secondary memory cache Board: Gigabyte Technology Co., Ltd. 8IG1000-G x.x
    Bus Clock: 200 megahertz
    BIOS: Award Software International, Inc. F3 03/04/2004
    Drives Memory Modules c,d
    200.05 Gigabytes Usable Hard Drive Capacity
    119.94 Gigabytes Hard Drive Free Space

    ASUS CRW-5224A [CD-ROM drive]
    HL-DT-ST CD-ROM GCR-8521B
    3.5" format removeable media [Floppy drive]

    ST3200822A [Hard drive] (200.05 GB) -- drive 0, s/n 3LJ0R916, rev 3.01, SMART Status: Healthy 496 Megabytes Installed Memory

    Slot 'A0' has 256 MB
    Slot 'A1' is Empty
    Slot 'A2' has 256 MB
    Slot 'A3' is Empty
    Local Drive Volumes


    c: (on drive 0) 200.05 GB 119.94 GB free
    Network Drives
    None detected
    Users Printers
    local user accounts last logon
    PC User 24/07/2004 1:37:46 AM (admin)
    local system accounts
    Administrator never (admin)
    Guest never
    HelpAssistant never
    SUPPORT_388945a0 never

    DISABLED Marks a disabled account; LOCKED OUT Marks a locked account

    Hewlett-Packard HP-GL/2 Plotter on \\FULLBACK\d1plt1
    Microsoft Office Document Image Writer Driver on Microsoft Document Imaging Writer Port:
    Controllers Display
    Standard floppy disk controller
    Intel(R) 82801EB Ultra ATA Storage Controllers
    Primary IDE Channel [Controller]
    Secondary IDE Channel [Controller] Intel(R) 82865G Graphics Controller [Display adapter]
    Hitachi CML174SX [Monitor] (17.1"vis, s/n H3B004394, February 2003)
    Bus Adapters Multimedia
    Intel(R) 82801EB USB Universal Host Controller - 24D2
    Intel(R) 82801EB USB Universal Host Controller - 24D4
    Intel(R) 82801EB USB Universal Host Controller - 24D7
    Intel(R) 82801EB USB Universal Host Controller - 24DE
    Intel(R) 82801EB USB2 Enhanced Host Controller - 24DD MPU-401 Compatible MIDI Device
    Realtek AC'97 Audio
    Standard Game Port
    Communications Other Devices
    Realtek RTL8139/810x Family Fast Ethernet NIC #2
    Network Card MAC Address: 00:00:1C:D8:62:22
    Network IP Address: 144.133.221.206 / 22 HID-compliant consumer control device
    HID-compliant consumer control device
    HID-compliant device
    USB Human Interface Device
    USB Human Interface Device
    Built-in Infrared Device
    HID Keyboard Device
    HID-compliant mouse
    USB Composite Device
    USB Root Hub
    USB Root Hub
    USB Root Hub
    USB Root Hub
    USB Root Hub
    Virus Protection
    No details available
    Installed Microsoft Hotfixes [Back to Top]
    DataAccess
    no verification data Q832483 on 24/03/2004 (details...)
    no verification data KB870669 (details...)
    DirectX
    DX9
    SP1:
    passed verification KB839643-DIRECTX9 on 8/06/2004 (details...)
    Internet Explorer
    no verification data SP1 (SP1)
    no verification data Q330994 (details...)
    no verification data Q823353 (details...)
    no verification data Q831167 (details...)
    no verification data Q832894 (details...)
    no verification data Q837009 (details...)
    Windows Media Player
    passed verification Q828026 (details...)
    passed verification KB837272 (details...)
    SP0
    passed verification Q828026 on 24/03/2004 (details...)
    Windows XP
    SP0
    passed verification KB837272 on 2/05/2004 (details...)
    SP2
    passed verification Q322011 on 24/03/2004 (details...)
    no verification data Q327979 on 24/03/2004 (details...)
    passed verification KB810243 on 24/03/2004 (details...)

    Windows XP
    SP2 (continued)
    passed verification Q814995 on 24/03/2004 (details...)
    passed verification KB817778 on 24/03/2004 (details...)
    passed verification KB820291 on 24/03/2004 (details...)
    passed verification KB821253 on 24/03/2004 (details...)
    passed verification KB822603 on 24/03/2004 (details...)
    passed verification KB823182 on 24/03/2004 (details...)
    passed verification KB824105 on 24/03/2004 (details...)
    passed verification KB824141 on 24/03/2004 (details...)
    passed verification KB824146 on 24/03/2004 (details...)
    passed verification KB825119 on 24/03/2004 (details...)
    passed verification KB826939 on 24/03/2004 (details...)
    passed verification KB826942 on 24/03/2004 (details...)
    passed verification KB828028 on 24/03/2004 (details...)
    passed verification KB828035 on 24/03/2004 (details...)
    passed verification KB828741 on 2/05/2004 (details...)
    passed verification KB833407 on 6/05/2004 (details...)
    passed verification KB833998 on 2/05/2004 (details...)
    passed verification KB835732 on 2/05/2004 (details...)
    passed verification KB837001 on 2/05/2004 (details...)
    passed verification KB839645 on 14/07/2004 (details...)
    passed verification KB840315 on 14/07/2004 (details...)
    passed verification KB840374 on 11/05/2004 (details...)
    passed verification KB841873 on 14/07/2004 (details...)
    passed verification KB842773 on 14/07/2004 (details...)

    Click here to see all available Microsoft security hotfixes for this computer.

    verifies OK Marks a HotFix that verifies correctly
    fails verification Marks a HotFix that fails verification
    (note that failing hotfixes need to be reinstalled)
    Unmarked HotFixes lack the data to allow verification
    Software Licenses [Back to Top]

    Belarc - Advisor d8e2896b
    Microsoft - Internet Explorer 55274-645-1896202-23835 (Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
    Microsoft - MediaPlayer 69808-351-1370217-04420
    Microsoft - Office Professional Edition 2003 73931-640-0000106-57834 (Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
    Microsoft - WebFldrs XP 12345-111-1111111-09388
    Microsoft - Windows XP Professional 55274-645-1896202-23835 (Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
    Software Versions [Back to Top]
    Adobe Reader Version 6.0.0.2003051900 *
    Advanced Process Manipulation *
    Ahead Software AG - Cover Designer Version 2, 3, 0, 6 *
    Ahead Software AG - InfoTool Application Version 2, 2, 1, 0 *
    Ahead Software AG - Nero BackItUp Version 1, 2, 0, 15 *
    Ahead Software AG - Nero Burning ROM Version 6, 3, 1, 15 *
    Ahead Software AG - Nero CD - DVD Speed Version 3, 0, 1, 0 *
    Ahead Software AG - Nero DriveSpeed Version 2, 0, 2, 0 *
    Ahead Software AG - Nero ImageDrive Version 2, 27, 0, 4 *
    Ahead Software AG - Nero SoundTrax Version 1, 0, 0, 28 *
    Ahead Software AG - Nero StartSmart Version 1, 0, 1, 18 *
    Ahead Software AG - Nero Wave Editor DLL Version 2, 0, 0, 32 *
    Apple Computer, Inc. - QuickTime QuickTime 6.1c *
    Belarc, Inc. - BelManage Client Version 6.1f *
    BigPond Broadband Cable Login *
    BST - BSPlayer v1.0 Version 1.0.0.0 *
    Cinematronics - 3D Pinball Version 5.1.2600.0 *
    CoffeeCup Free Viewer Plus Version 2.6.0.0 *
    CoffeeCup Software - Quick Viewer Version 2.5.0.0 *
    Cottonwood Software - File-Ex Version 3.0.0.24 *
    Created by javacool. - FileChecker v1.7 Version 1.07.0001 *
    Eraser Version 5.7 *
    ewido security suite Version 0, 1, 0, 101 *
    FaberBox - Faber Toys Version 2.05.0240 *
    filecheckertutorial Version 1.00 *
    Free Spider *
    Groom-A-Zebu (tm) - Proxomitron Naoko-4.5 2003-6-1 *
    home - Ostat Version 0.32.0265 *
    Inno Setup Version 51.13.0.0 *
    InstallDriver Module Version 7.07 *
    Intel(R) Common User Interface Version 7.0.0.3762 *
    IrfanView Version 3.80 *
    Java Web Start *
    javaw.exe *
    Jordan Russell - Inno Setup Uninstaller Version 51.7.0.0 *
    Karen's Power Tools Version 2.02.0003 *
    Lavasoft Ad-aware Plus Version 6.0.0.0 *
    M&R Technologies, Inc. - PCStitch version 6 Version 6.02 *
    M&R Technologies, Inc. - The DMC Floss Editor Version 6.02 *
    Macromedia, Inc. - Flash 4.0 Version 4,0,7,0 *
    Microsoft (R) .NET Framework Version 1.1.4322.573 *
    Microsoft (r) Windows Script Host Version 5.6.0.8515 *
    Microsoft Application Error Reporting Version 11.0.5515 *
    Microsoft Clip Organizer Version 11.0.5510 *
    Microsoft Corporation - Internet Explorer Version 6.00.2800.1106 *
    Microsoft Corporation - Messenger Version 4.7 *
    Microsoft Corporation - Office Source Engine Version 11.0.5525 *
    Microsoft Corporation - SelfCert Version 11.0.5510 *
    Microsoft Corporation - Windows Installer - Unicode Version 2.0.2600.1106 *
    Microsoft Corporation - Windows Journal Viewer Version 1.5.2315.3 *
    Microsoft Corporation - Windows Movie Maker Version 2.0.3312.0 *
    Microsoft Corporation - Windows® NetMeeting® Version 3.01 *
    Microsoft Corporation - Zone.com Version 1.2.626.1 *
    Microsoft Office 2003 Version 11.0.6113 * Microsoft Office Document Imaging Version 11.0.1897.0 *
    Microsoft Office InfoPath Version 11.0.5531 *
    Microsoft Office Outlook Version 11.0.5510 *
    Microsoft Office Picture Manager Version 11.0.5510 *
    Microsoft Office Save My Settings/Profile Wizard Version 11.0.5510 *
    Microsoft Open Database Connectivity Version 3.520.9030.0 *
    Microsoft Windows Media Player Version 6.4.09.1125 *
    Microsoft(R) MSN (R) Communications System Version 7.02.0005.2202 *
    Microsoft(R) Windows Media Player Version 9.00.00.2980 *
    Microsoft® Schedule+ for Windows 95(TM) Version 7.5 *
    Microsoft® Visual Studio .NET Version 7.00.9466 *
    Microsoft® Windows(TM) Shell PowerToys Version 96.02.06 *
    MindVision - Installer VISE 2.8.3 Version 2.8.3 *
    MindVision Software - Installer VISE Version 3.1.1 *
    Mozilla - Firefox Version 1.7: 2004070723 *
    NetBeans IDE 3.5.1 *
    NOD32 *
    NOD32 Control Center *
    NOD32 Kernel Service *
    none - burnatonce Version 0.99.0005 *
    OpenOffice.org 1.1.1 *
    OpenOffice.org 1.1.1 Version 6.00.8753 *
    Overnet Application Version 0.53.0.0 *
    PepiMK Software - Spybot - Search & Destroy Version 1, 3, 0, 12 *
    PGP Version 8.0.2 *
    PGPsdk Version 3.0.2 *
    Prismatic Software - DupDetector Application Version 3.101 *
    RealNetworks, Inc. - RealPlayer (32-bit) Version 0.1.0.3018 *
    RealNetworks, Inc. - RealPlayer (32-bit) Version 6.0.12.857 *
    RealNetworks, Inc. - RealPlayer (32-bit) Version 7.0.0.2400 *
    Realtek Sound Manager Version 5.1.0.24 *
    RegCleaner The same as the FileVersion *
    Safer Networking Limited - SpyBot-S&D Version 1, 3, 0, 12 *
    Script Defender *
    Script Defender Updates *
    Sierra Entertainment, Inc. - Hoyle Casino Version 1, 0, 0, 0 *
    SmartLine, Inc. - Active Ports Version 1, 4, 0, 0 *
    SpywareBlaster AutoUpdate Version 3.02 *
    SpywareBlaster Version 3.02 *
    SpywareGuard LiveUpdate Version 2.02.0001 *
    SpywareGuard Version 2.02.0001 *
    Strip'n Score *
    SunJavaUpdateSched *
    SWE von Schleusen - UltimateZip Quick Start Version 1.1 *
    SWE von Schleusen - UltimateZip Self-Extractor Version 2.7 *
    SWE von Schleusen - UltimateZip Version 2.7 *
    Telstra - BigPond Broadband Cable Login Version 1.00 *
    WinImage Self Extractor file Version 6.10.6100 *
    WinZip Version 8.0 (3105) *
    Wizards to adjust .NET Framework security, assign trust to assemblies, and fix broken .NET applications. Version 1.0.5000.0 *
    Zone Labs Client Version 5.0.590.043 *
    Zone Labs Inc. - Internet Access Monitor Version 5.0.590.043 *
    Zone Labs Inc. - TrueVector Service Version 5.0.590.043 *
    Zone Labs Uninstaller Version 5.0.590.43 *
    * Click to see where software is installed.
    a. Megahertz measurement may be inaccurate if other programs were busy during last analysis.
    b. Data may be transferred on the bus at one, two, or four times the Bus Clock rate.
    c. Memory slot contents may not add up to Installed Memory if some memory is not recognized by Windows.
    d. Memory slot contents is reported by the motherboard BIOS. Contact system vendor if slot contents are wrong.
    e. This may be the manufacturer's factory installed product key rather than yours.
    Copyright 2000-4, Belarc, Inc. All rights reserved.
    Legal notice. U.S. Patents 6085229, 5665951 and Patents pending.


    Cheers :D
     
  12. AgentX

    AgentX Registered Member

    Joined:
    Dec 25, 2003
    Posts:
    44
    Location:
    The Intarweb
    Lsass.exe problem is very annoying indeed. To get rid of it, install the fix mentioned by
    rumpstah ...it should fix the problem. I've noticed that even after installing it, the error
    returns back after a few days of clean operation. In such a case, reinstall the same fix.

    Regards,
    AgentX
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I will wait for another Beta to come out first. No one should have to do this, the problem appeared, then they brought out a pre-release Beta, that sorted it out, several pre-release Beta's later and everything was still ok. Then when the actual Beta is released to the public the problem returns... This appears to come down to the Eset and their programmers...

    Cheers :D
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Have you tried running your computer without NOD to see if the error occurs?

    It seems to affect certain configurations. I don't get this error.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The trouble is, it is VERY intermitant, it has only appeared twice in the last 48hrs, As well I have had 2 other error messages as posted elsewhere; IEXPLORE.exe and AcroRd32.exe as posted in another thread...

    ALL error messages are in the same format, and have ONLY appeared since installing the NEW Beta, they had dissapeared with pre-release Beta.

    Cheers :D
     
    Last edited: Jul 23, 2004
  16. PeterVO

    PeterVO Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    87
    Location:
    Belgium, Leuven
    Hello,

    I've the same error messages as Blackspear but haven't the beta of NOD installed. It appears as a non responding pc when for example starting a new application.
    I noticed at one occasion two icons of LookNStop in the system tray.
    What's the solution for this problem and what the cause of it? I truly hope not a complete re-install of WinXP.

    Kind regards,

    PeterVO
     
  17. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Blackspear: What is your distribution version for lsasrv.dll?

    Mine is 5.1.2600.1361
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Same here: 5.1.2600.1361

    Cheers :D
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This problem with Lsass.exe goes back prior to the Beta, see the following thread:

    https://www.wilderssecurity.com/showthread.php?t=35206

    It appears to be a work in process...

    Cheers :D
     
  20. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    S?o Paulo, Brazil
    Blackspear,

    It stranges.In my last email I told you that I had the lsass.exe problem when I closed or opened my internet connection and with this beta version this problem is over. :D

    Best Regards,

    DonKid.
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It is a very strange problem indeed, tell me about it :D

    I have run Nod32 for 2 years now without ever coming across the Lsass.exe error message. My first encounter was through a customer trying to VPN. I then had the problem appear a few days later on my home PC. I was given a pre-release Beta to try, it didn't solve the problem. The next pre-release did resolve it, and every pre-release thereafter has been fine.

    Then along comes the actual Beta and the problem returns with a few friends, as in; IXPLORE.exe and AcroRd32.exe, I can no longer open a ".pdf" file. So now I am waiting for a further release of the Beta.

    I can not replicate the error through anything, it just reappears every now and then. I have not changed any of my settings or programs, I have not installed any new programs.

    I can replicate the AcroRd32.exe error message by trying to open a ".pdf" file.

    The error has not occurred for 24 hours, but this can be the case, it is very intermittent :mad:

    Cheers :D
     
  22. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    I'm getting a series or application and service errors as well. lsass, iexplore, svchost and a couple others...
     

    Attached Files:

  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas

    Do a search for lsass.exe. Do you have two versions, one in windows\system32 and one in windows\servicepackfiles?

    Those are on my xp machine. I have no problems here.
     
  24. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    S?o Paulo, Brazil
    Well I checked my PC and I have 2 lsass.exe. 1 in system32 and the other in c:\windows\servicepackfiles\i386.
    I never saw a thing like that.I tried to open pdf files and it's ok too. So far so good.Have you tried to format your PC ?

    Best Regards,

    DonKid.
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This won't be necessary, like I said before, after a pre-release the problem was fixed, so I'll just hang tight for another release to come along...

    Cheers :D
     
Thread Status:
Not open for further replies.